varnish: drop response cookies if we dropped request cookies

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk 2016-04-11 14:44:40 +00:00
parent 1497bbd428
commit 1a3df38b19


@ -160,6 +160,12 @@ sub vcl_synth {
return (deliver);
}
# CAUTIN: Make very sure that for every unset req.http.cookie, you
# also set a req.http.clear-cookies = "yes", and in *no other case*.
# This is done to prevent the case where Varnish drops the cookies
# because this is the efficient thing to do to allow more caching,
# but then the backend sends a new session cookies back, overwriting
# the one the browser had already.
sub vcl_recv {
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
@ -175,6 +181,7 @@ sub vcl_recv {
set req.backend_hint = wiki;
if (req.url ~ "^/w/skins/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -185,6 +192,7 @@ sub vcl_recv {
set req.backend_hint = pkgdb;
if (req.url ~ "^/pkgdb/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -192,6 +200,7 @@ sub vcl_recv {
set req.backend_hint = fas.backend();
if (req.url ~ "^/accounts/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -199,6 +208,7 @@ sub vcl_recv {
set req.backend_hint = voting;
if (req.url ~ "^/voting/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -206,10 +216,12 @@ sub vcl_recv {
set req.backend_hint = mirrormanager;
if (req.url ~ "^/mirrormanager/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/mirrormanager/mirrors") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -217,6 +229,7 @@ sub vcl_recv {
set req.backend_hint = bodhi;
if (req.url ~ "^/updates/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -227,6 +240,7 @@ sub vcl_recv {
set req.backend_hint = tagger;
if (req.url ~ "^/tagger/ui/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -234,10 +248,12 @@ sub vcl_recv {
set req.backend_hint = paste;
if (req.url ~ "^/skins/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/addons/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -245,6 +261,7 @@ sub vcl_recv {
set req.backend_hint = askbot;
if (req.url ~ "^/m/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -253,6 +270,7 @@ sub vcl_recv {
set req.backend_hint = blockerbugs;
if (req.url ~ "^/blockerbugs/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -262,6 +280,7 @@ sub vcl_recv {
set req.backend_hint = koschei;
if (req.url ~ "^/koschei/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -269,6 +288,7 @@ sub vcl_recv {
set req.backend_hint = kerneltest;
if (req.url ~ "^/kerneltest/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -276,6 +296,7 @@ sub vcl_recv {
set req.backend_hint = fedocal;
if (req.url ~ "^/calendar/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -283,10 +304,12 @@ sub vcl_recv {
set req.backend_hint = nuancier;
if (req.url ~ "^/nuancier/static/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/nuancier/cache/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -294,18 +317,22 @@ sub vcl_recv {
set req.backend_hint = packages;
if (req.url ~ "^/packages/_res/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/packages/css/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/packages/images/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
if (req.url ~ "^/packages/js/") {
unset req.http.cookie;
set req.http.clear-cookies = "yes";
set req.url = regsub(req.url, "\?.*", "");
}
}
@ -357,6 +384,18 @@ sub vcl_backend_response {
}
}
sub vcl_deliver {
if (req.http.clear-cookies ~ "yes") {
# If we stored that we cleared request cookies, we also make sure
# we are not sending any response cookies.
# NOTE: this is suboptimal, since clearing them at this time means
# varnish has already cached that this endpoint returns cookies and
# will not cache it. This is really just a failsafe to make sure we
# don't send empty cookies back.
unset resp.http.set-cookie;
}
}
sub vcl_pipe {
set req.http.connection = "close";
}
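Review bot: The marker that drives the new `vcl_deliver` check is an ordinary request header, so a `clear-cookies` value sent by the client satisfies `req.http.clear-cookies ~ "yes"` without any `unset req.http.cookie` having run, which breaks the "in *no other case*" invariant stated in the comment above `vcl_recv`. I would add `unset req.http.clear-cookies;` as the first statement of `vcl_recv` so that only the VCL can set it, and compare with `== "yes"` in `vcl_deliver`, since `~` is a regex match that also accepts values such as `yesterday`. Unless it is removed elsewhere, the header presumably also travels to the backend on a miss; an `unset bereq.http.clear-cookies;` in `vcl_backend_fetch` would keep it internal. The body of `vcl_recv` begins in the first hunk and continues outside the lines shown, so whether the header is already stripped there cannot be confirmed from this page.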